Patching Question - "Administrative Login Needed"

(imported topic written by SirFixAlot91)

Hello everyone,

I was hoping to gain a little insight into the systems that fall under the fixlet “Administrative Login Needed”. The information specifies this is a result of the listed computers having a pending operation scheduled in the registry under the:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

I have about 40 computers in this fixlet list and I have manually checked some out and found those with entries under that Key and those that had nothing under that key. I have also noticed that almost all had something scheduled to run under the task scheduler. Before we began using BigFix we had another patching solution that was horrific in that it would not completely install some updates such as the Microsoft GDI. At first I was assuming I would get greeted with that half-complete patch on these 40+ computers, but that has not been the case.

I then checked Microsoft update and found the system in question to need 15 “high priority” updates. However, BigFix does not show the system to need any of these updates. This is fairly troublesome because I now have to question whether or not the results I am seeing in the BF console are accurate. In the same system mentioned, I cleared that registry key and the system no longer shows in the Administrative Login needed group, but the patches needed in Windows update still do not propagate.

I would hate to think that this means there is no way for me to patch these 40 systems with BF and that I may have a couple hundred patches missing that I thought were installed. Has anyone run into this problem before? If so, what would the recommended course of action be? Also, would there be a secondary tool recommended to “double-check” BF’s patching? I have thought of using MBSA on those systems but I do not prefer that tool.

Any suggestion or information would be greatly appreciated.

Thank you,

Dan.

(imported comment written by BenKus)

Hi Dan,

BigFix will check each file in a patch and make sure it is installed completely; if it is not, then you should see “corrupt patch” Fixlets relevant on these computers (http://support.bigfix.com/cgi-bin/kbdirect.pl?id=166)… Also, note that Windows Update has its own rating scheme for some reason: http://support.bigfix.com/cgi-bin/kbdirect.pl?id=376 and some of the patches it offers are functionality-based and not security-based…

Ben

(imported comment written by SirFixAlot91)

Hey Ben,

Thanks for the reply, I read the posts but I still have one follow-up question:

If those systems marked as needing administrative login never actually have an admin login, what would the negative impact be? Could I just remove the registry key that creates this notification or is the login truly needed? The main reason I am still confused is that I have logged into some of these systems (I am a Delegated Domain Admin) and they are still listed in this category. Does the login have to be local?

Dan

(imported comment written by BenKus)

Hi Dan,

A few years back, it was fairly common for patches and other installers to put items in the RunOnce key to be run the next time the user logged in. This was convenient for the installer authors because you could avoid issues with files that were locked or in use and it worked fine if you had single users of systems that were administrators. However, this scheme of using the RunOnce key had all sorts of downsides for companies that didn’t want to make their users administrators or (in certain cases) if multiple users used the system. In some cases, if a non-admin user logged in, there would be error messages… (there were some particularly bad instances of this with some older IE updates).

To help our customers handle these complexities, we introduced the “login needed” Fixlets to show people that something was waiting for an admin to run…

However, in practice today, most companies have figured out that they will piss off their customers if they require an admin login so they avoid it wherever possible… I am not sure about all software packages, but I haven’t seen an MS patch need a login for a while…

I would say that, in general, you can ignore this Login Needed Fixlet unless you have reason to need to look into this (such as if non-admin users are getting errors when they login or you know a certain installer wasn’t working).

Ben

(imported comment written by SirFixAlot91)

Thanks for the background Ben, that certainly coincides with my thinking that those patches are old remnants of the crappy patching solution they were using here before we moved to BigFix. Seeing that I have logged in on about 20% of the 40 or so systems as an admin and nothing ran/finished in addition to the reg keys remaining afterwards, I will ignore this in the meantime. If for some reason these systems then seem to behave differently than the others (not patching or something) I will certainly report back here.

As always, thanks for the help, and I can’t wait until we get our additional BigFix Modules!

Dan
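
A read-only way to record what is actually queued under the RunOnce key discussed in this thread before ignoring or clearing it, as an added PowerShell example that is not from the original posts or from BigFix. The function names `Get-CommandTarget` and `Get-PendingRunOnce` are hypothetical; the check that the referenced program still exists is an assumption about what makes an entry a stale leftover.

```powershell
# Added example (not from the thread): inventory pending RunOnce entries.
# Read-only; nothing in the registry is modified.
$runOnceKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'

function Get-CommandTarget {
    param([string]$CommandLine)
    # Take the program from a RunOnce command line: a quoted path if present,
    # otherwise the first whitespace-delimited token. Unquoted paths that
    # contain spaces are not resolved correctly by this simple split.
    $expanded = [Environment]::ExpandEnvironmentVariables($CommandLine).Trim()
    if ($expanded -match '^"([^"]+)"') { return $Matches[1] }
    return ($expanded -split '\s+', 2)[0]
}

function Get-PendingRunOnce {
    param([string]$KeyPath = $runOnceKey)
    if (-not (Test-Path -LiteralPath $KeyPath)) { return }
    $key = Get-Item -LiteralPath $KeyPath
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq '') { continue }          # skip the unnamed default value
        $command = [string]$key.GetValue($name)
        $target  = Get-CommandTarget -CommandLine $command
        $exists  = $false
        if ($target) {
            # Get-Command resolves full paths and bare names found on PATH
            # (for example rundll32.exe).
            $found  = Get-Command -Name $target -CommandType Application `
                          -ErrorAction SilentlyContinue | Select-Object -First 1
            $exists = [bool]$found
        }
        [pscustomobject]@{
            Computer     = $env:COMPUTERNAME
            ValueName    = $name
            Command      = $command
            Target       = $target
            TargetExists = $exists   # False suggests a leftover from a removed installer
        }
    }
}

Get-PendingRunOnce | Format-List
```

Piping `Get-PendingRunOnce` to `Export-Csv` instead of `Format-List` keeps a record of each machine's entries before any key is cleared.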